Carl spoke about BSIMM – the Build Software In Maturity Model. This is an open source tool, developed by Cigital and Fortify, by which companies can measure their secure development maturity level based on data from peer companies. The idea is to collect data from as many companies as possible to advance a collective understanding about how secure development is being done.

From August through the end of year, 2011, there were 3 events, one at PG&E in downtown San Francisco, and another at a restaurant in the financial district in San Francisco. But, the highlight of the autumnal Bay Area OWASP events was this one, held on November 30:

From August through the end of year, 2011, there were 3 events, one at PG&E in downtown San Francisco, and another at a restaurant in the financial district in San Francisco. But, the highlight of the autumnal Bay Area OWASP events was this one, held on November 30:

−

November 30, 2011

+

= November 30, 2011 =

Stanford Campus, Alumni Center, Lane/Ladato rooms

Stanford Campus, Alumni Center, Lane/Ladato rooms

Line 53:

Line 154:

----------------------------------

----------------------------------

+

+

= July 1, 2010 =

OWASP Bay Area will host its next Application Security Summit at the SAP Offices in Palo Alto on July 1st, 2010. As usual attendance is free and food and beverages will be provided. This is an excellent event with great speakers and a great opportunity to network with industry peers. The event is open to the public; please forward this invite to your colleagues and friends who are interested in computer and application security.

OWASP Bay Area will host its next Application Security Summit at the SAP Offices in Palo Alto on July 1st, 2010. As usual attendance is free and food and beverages will be provided. This is an excellent event with great speakers and a great opportunity to network with industry peers. The event is open to the public; please forward this invite to your colleagues and friends who are interested in computer and application security.

Carl spoke about BSIMM – the Build Software In Maturity Model. This is an open source tool, developed by Cigital and Fortify, by which companies can measure their secure development maturity level based on data from peer companies. The idea is to collect data from as many companies as possible to advance a collective understanding about how secure development is being done.

From August through the end of year, 2011, there were 3 events, one at PG&E in downtown San Francisco, and another at a restaurant in the financial district in San Francisco. But, the highlight of the autumnal Bay Area OWASP events was this one, held on November 30:

Jason Chan - Practical Cloud Security Over the past several years, there has been much hand wringing and teeth gnashing related to public cloud security. Because of this, many organizations have limited or delayed their cloud usage. Faced with business and market imperatives that demanded scale and elasticity that traditional data center architectures could not provide, Netflix jumped head first into the public cloud two years ago. As we continue to mature our environment, we’ve also begun leveraging the benefits of the public cloud to enhance our security posture and capabilities. This presentation will be a practical examination of Netflix’s approach to cloud security. Topics covered include: • Using public cloud automation and APIs to enhance security visibility • Netflix’s “Security Monkey” tool for cloud security monitoring and alerting • Inter-host reachability and connectivity analysis for firewall policy evaluation and optimization • Netflix’s model-driven architecture for securing and managingsystems and applications • Call to action: Cloud Security Gap Analysis and Next Steps

Luca Carettoni - From CVE-2010-0738 to the recent JBoss worm Being a widely deployed enterprise application server, JBoss has always been a juicy target for attackers. Security vulnerabilities and misconfigurations in critical components, such as the infamous JMX-console, can be exploited in order to execute arbitrary code and harm the confidentiality, integrity and availability of the entire system. Our quick journey through JBoss insecurity will start from the analysis of a critical authentication bypass flaw to the recent JBoss worm which affected numerous installations worldwide. This presentation will also cover practical aspects on how to detect misconfigurations and secure your application server.

David Fifield - Evading censorship with browser-based proxies Proxy systems like Tor and VPNs can be used to get around Internet censorship and access blocked resources, but what happens when the circumvention system itself is blocked? A flash proxy is a miniature proxy that runs in a web browser, that can be activated just by viewing a web page. Web site visitors provide a large and constantly changing pool of proxy addresses that are difficult to block. Even though each proxy may last only seconds or minutes, it is possible to switch between them in a way that makes web browsing more or less seamless. We will share details of our flash proxy implementation and explain how to add a proxy to your web page.

Abraham Kang - DOM-based XSS and output encoding An interactive presentation that intends to turn all of the listeners of the presentation into XSS experts and help them understand how to mitigate XSS properly using output encoding.
Previous Event

SPONSORS: Special Thanks to our host and sponsor - Mozilla Foundation. This is an archive page of all the Bay Area OWASP past events. The chapter home is at Bay Area.

July 1, 2010

OWASP Bay Area will host its next Application Security Summit at the SAP Offices in Palo Alto on July 1st, 2010. As usual attendance is free and food and beverages will be provided. This is an excellent event with great speakers and a great opportunity to network with industry peers. The event is open to the public; please forward this invite to your colleagues and friends who are interested in computer and application security.

We have an excellent line-up of speakers.

Please note that due to security issues, your must pre-register. Badges will be ready for the registered attendees at the lobby where you will check in.

Drive By Downloads: How To Avoid Getting A Cap Popped In Your App: Which browser do you claim? What color is your screen-saver? It is a world wide hood out there, don’t let yourself become the next victim of a drive by… a drive by download. Email attachments have become synonymous with computer viruses and consumers have become accustom to questioning the legitimacy of email touting male enhancement drugs and lottery winnings. This means hackers are having to come up with new ways to distribute malware. Today, just by loading an infected webpage of from a legitimate website, a virus can be downloaded without any other interaction and will often go undetected. Once the virus is on a PC, hackers can access the computer remotely and steal sensitive information like banking passwords, send out spam or install more malicious executables.

In this talk, we describe in technical detail the "anatomy of a modern web-based malware attack." Web-based malware attacks have evolved significantly over the past 4 years. We present the state-of-the-art in web-based malware attacks and describe how the techniques used have evolved over time. Bio - Neil Daswani is a co-founder of Dasient, Inc., a security company backed by some of the most influential investors in Silicon Valley and New York. In the past, Neil has served in a variety of research, development, teaching, and managerial roles at Google, Stanford University, DoCoMo USA Labs, Yodlee, and Bellcore (now Telcordia Technologies). While at Stanford, Neil co-founded the Stanford Center Professional Development (SCPD) Security Certification Program (http://proed.stanford.edu/?security). He has published extensively, frequently gives talks at industry and academic conferences, and has been granted several U.S. patents. He received a Ph.D. and a master's in computer science from Stanford University, and earned a bachelor's in computer science with honors with distinction from Columbia University. Neil is also the lead author of "Foundations of Security: What Every Programmer Needs To Know" (published by Apress; ISBN 1590597842; http://tinyurl.com/33xs6g. More information about Neil is available at http://www.neildaswani.com.

Building Secure Web Applications: This presentation will go over core principles involved in launching secure web applications and effectively managing security in a cloud services environment. We will discuss best practices for implementing security programs, review examples of things done right and wrong, and address specific steps required for creating and maintaining a sustainable security framework for your web applications. Bio - Misha Logvinov is the Vice President of Online Operations at IronKey. In this position, Mr. Logvinov and his team are responsible for designing, implementing and supporting a highly-scalable mission critical infrastructure for IronKey's next-generation security products and services. Mr. Logvinov brings to IronKey over a decade of management experience in information technology, operations and security. Throughout his career, he has been responsible for implementing hundreds of customer solutions, supporting millions of online users, managing complex backoffice applications and building some of the world's most secure online service environments. Prior to IronKey, Mr. Logvinov spent six years at Yodlee, one of the leading online financial service providers. He held various management roles during his tenure, most recently, as Director of Operations Delivery. Mr. Logvinov's earlier experiences included IT management at Outcome, Inc. and INTERSHOP Communications. Mr. Logvinov holds a BA in Business Administration from Plekhanov Russian Academy of Economics. He is a Certified Information Systems Security Professional (CISSP) and a Certified Information Security Manager (CISM).

Bio - Alex Bello has been involved in the computer security field for the last six years with over ten years of combined experience in technical operations, web application development and security. Mr. Bello is currently serving as the Director of Technical Operations and the Product Security Team Lead at IronKey. Mr. Bello is responsible for architecture, operations and security management of the IronKey online services portfolio as well as IronKey products security testing and research. Prior to IronKey, Mr. Bello spent over three years consulting for various security organizations on infrastructure architecture, security research and web application development projects. Earlier in his career, Mr. Bello managed technical operations at one of the biggest online social marketplaces. In addition to his work at IronKey, for the last five years Mr. Bello has been responsible for technical operations and engineering at Anti-Phishing Working Group (APWG) supporting data aggregation, processing and consumption technologies behind one of the largest anti-phishing UBLs.

Cloudy with a chance of a hack: Cloud computing is a cost effective and efficient way for enterprises to automate their processes. However organizations need to be aware of the pitfalls of the many cloud computing solutions out there - one of the main ones being security. Most of these solutions were built for ease of use and without necessarily security in mind. Companies should ask the solution provider the security measures used in developing the application and get an independent verification to make sure there are no gaping holes. With over 75% of attacks occurring through the Web, any attack through these applications can lead to leakage of confidential information and embarrassment. Bio – Lars Ewe: Chief Technology Officer and VP of Engineering for Cenzic. Lars Ewe is a technology executive with broad background in (web) application development and security, middleware infrastructure, software development and application/system manageability technologies. Throughout his career Lars has held key positions in engineering and product management in a variety of different markets. Prior to Cenzic, Lars was software development director at Advanced Micro Devices, Inc., responsible for AMD's overall systems manageability and related security strategy and all related engineering efforts.

Application Security Deployment Tradeoffs: Application security tradeoffs and choices are made at various stages of application design, development and deployment. This talk will cover deployment aspects of application security. Based on experience in designing, developing and deploying application security solutions and products for the past 10 years, I will do a case study based analysis of security costs and tradeoffs. Specifically, we will correlate security choices during deployment with our observations regarding the relatively higher adoption of security features and products that have an incremental deployment plan over those that are more intrusive and/or are operationally more expensive. Bio – Anoop Reddy Anoop Reddy has been working in Security and Application Firewalls for the past 8 years and has led many innovations as part of Teros and Citrix. He was the Architect and Technical Lead at Teros and now manages the Engineering Development for the Application Firewall product lines at Citrix.

MashSSL - Extending SSL for securing mashups: In this presentation we will describe MashSSL and how it can be used to solve a fundamental Internet security problem - when two web applications communicate through a potentially un-trusted user they do not have any standard way of mutually authenticating each other and establishing a trusted channel. MashSSL is a new multi-party protocol that has been expressly designed to inherit the security properties of SSL, and to be able to leverage its trust infrastructure. We will also discuss how this can be used to secure a variety of multi-party environments including mashups using Cross-domain XHR, OpenAJAX, as well as scenarios such as OpenID and OAuth. Bio – Siddharth Bajaj is researching new technologies in the areas of Internet Trust, Identity and Authentication including how these can be applied to solve problems in verticals such as healthcare, online content and cloud computing. Siddharth has been with VeriSign since 1999 and has fulfilled variety of technical leadership roles. He was involved in the development of the VeriSign PKI services platform as well as the early conceptualization and architecture of more recent VeriSign products such as UA and VIP.